U.S. Department of the Interior
Office of Inspector General

Advisory Letter
Critical Infrastructure Assurance Program, Department of the Interior

Report No. 00-I-704
September 2000

completion in the fall of 2000. We found that the Department had adequately identified the critical assets and submitted its Critical Infrastructure Protection Plan (CIPP) to the National Critical Assurance Office for review by an Expert Review Team (ERT). The Department has taken or plans to take the actions necessary to incorporate the ERT’s suggested improvements.

We also found that the Department had not documented the results of the periodic reviews regarding its threat environment.[2] The Departmental Manual (375 DM 19.8) states:

         Each bureau will conduct periodic reviews of its Information Technology (IT) security program to determine its effectiveness and to re-certify the adequacy of the installed security safeguards. These reviews may use existing reports, such as those prepared for risk analyses, IT certifications, Privacy Act inspections, Departmental Management Control Evaluations, and Inspector General audits. The results of these reviews should serve as a basis for the annual bureau IT security Plan.

Departmental IT officials told us that these reviews were performed for each bureau but were not documented. We believe that the review process should have included written notifications to bureaus concerning the review, analysis, assessments, implementation of corrective actions, and results of the review. In that regard, without adequate documentation of the review process, there was no accountability for the actions taken.

Recommendations

We recommend that the Department’s Chief Information Officer (CIO):

    1. Ensure that the Department establishes and implements a requirement to document the periodic threat review process that includes written notifications to bureaus concerning the review, analysis, assessments, and implementation of corrective actions.

    2. Ensure that the CIPP is resubmitted to the ERT for approval.

[2] Threats can be external (from outside the organization) or internal (from employees or contractors). Threats also are natural (earthquakes or hurricanes), accidental (equipment failure or operator errors), or intentional (terrorists, hackers, or malicious employees).

Assistant Secretary for Policy, Management, and Budget Response and OIG Reply

In the September 27, 2000 response (Appendix 2) to the draft report from the Assistant Secretary for Policy, Management and Budget (AS/PMB), the AS/PMB concurred with the recommendations. The AS/PMB further stated that the CIO will, by December 15, 2000, ensure that the Department establishes and implements a requirement to document the periodic threat review process that includes written notifications to bureaus concerning the review, analysis, assessments, and implementation of corrective actions (Recommendation 1). It further stated that by December 15, 2000, the requirement to document the periodic threat review process will be included in the Department's Critical Infrastructure Protection Plan and submitted to the National Critical Assurance Office for review by the ERT (Recommendation 2).

Based on the response, we consider both recommendations resolved but not implemented (Appendix 3). Accordingly, the unimplemented recommendation will be referred to your Office of Financial Management for tracking of implementation.

Scope of Review

Our review was conducted as part of a Governmentwide four-phase PCIE review on implementation of PDD-63. To accomplish our review, we conducted interviews with the Critical Infrastructure Assurance Officer and his staff, the CIO, and other IT officials to obtain information concerning the critical infrastructures and planning processes used by the Department. The four phases will review the adequacy of:

    - Agency planning and assessment activities for protecting critical physical and cyber-based infrastructures (Phase I).
    - Agency implementation activities for protecting cyber-based infrastructures (Phase 2).
    - Agency planning and assessment activities for protecting critical non-cyber infrastructures (Phase 3).
    - Agency implementation activities for protecting critical non-cyber infrastructures (Phase 4).

The results of our review of the Departmental cyber-based planning efforts under Phase 1 and the review steps that were developed by the PCIE working group are detailed in Appendix 1. The results of the review will also be sent to the PCIE working group for inclusion in a governmentwide report concerning the security of Federal critical infrastructures.

Background

Advances in information technology have resulted in increasing the automation and interlinking of physical and cyber-based infrastructures and have created new vulnerabilities to intentional or unintentional infrastructure attacks from human error, weather, and equipment failure that could significantly harm the Nation’s economy and military capability.

PDD-63, which was signed on May 22, 1998, ordered the strengthening of the Nation’s defense against terrorist acts, weapons of mass destruction, and assaults on critical infrastructures that would diminish the ability of the Federal Government to protect the national security and ensure general public health and safety; of the state and local governments to maintain order and deliver minimum essential public services; and of the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services. PDD-63 further directs the Federal Government to eliminate any significant vulnerability to both physical and cyber attacks on its critical infrastructures by May 22, 2003.

The Department’s CIPP identified Hoover Dam, Shasta Dam, Grand Coulee Dam, and the Main Interior Building and the Bureau of Reclamation’s Supervisory Control and Data Acquisition computer system supporting dam operations as national critical infrastructures.

Since this letter’s recommendations are considered resolved, no further response to the Office of Inspector General is required (see Appendix 3).

This advisory letter will be listed in our semiannual report to Congress, as required by Section 5(a) of the Inspector General Act (5 U.S.C. app.3).

SCHEDULE OF REVIEW RESULTS

Columns: (a)(b) Review Step; (c) Yes; (d) No; (e) N/A; (f) Cause If "No" Answer in Column (d); (g) Effect; (h) Estimated Date of Resolution; (i) Estimated Cost of Resolution; (j) Estimate is in Agency CIP Budget; (k) Recommendation

A.1 Has agency completed its Critical Infrastructure Protection Plan (CIPP)?
    Answer: Yes

A.2 If the agency does not plan to complete a CIPP, is it because it is not a Phase I/II agency subject to Presidential Decision Directive (PDD) 63?
    Answer: N/A

A.3 Identify agency's cyber-based assets that may be subject to PDD 63. Does agency management agree that any of the assets should be subject to PDD 63?
    Answer: N/A

A.4 For agencies that have prepared a CIPP, did the Critical Infrastructure Coordination Group sponsor the required "expert review process" for the CIPP? If an Expert Review Team (ERT) review was not performed, then determine the "cause" and continue the remaining steps.
    Answer: Yes

A.5 If the Critical Infrastructure Coordination Group completed the expert review and found the CIPP to be deficient, has the agency taken adequate remedial action(s)?
    Answer: No
    Cause: The Department incorporated many of the Expert Review Team's suggested improvements and has made further revisions during our audit.
    Effect: N/A
    Estimated Date of Resolution: Jul-00
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: Ensure that the CIPP is resubmitted to the ERT for approval.

A.6 Did the CIPP require the appointment of a Chief Infrastructure Assurance Officer (CIAO), who will have overall responsibility for protecting the agency's critical infrastructure?
    Answer: Yes

A.7 Has the agency appointed a CIAO?
    Answer: Yes

A.8 Does the CIPP require the agency to identify its cyber-based Mission Essential Infrastructure (MEI)?
    Answer: Yes

A.9 Does the CIPP identify a milestone for identifying its cyber-based MEI?
    Answer: No
    Cause: The identification of cyber-based MEI was completed prior to developing the CIPP.
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.10 Does the agency CIPP require an evaluation of new assets to determine whether they should be included in its MEI?
    Answer: Yes

A.11 Does the CIPP require the agency to perform vulnerability assessments of its cyber-based MEI?
    Answer: Yes

A.12 Does the CIPP require periodic updates of the assessments?
    Answer: Yes

A.13 Does the CIPP identify milestones for completing the vulnerability assessments?
    Answer: Yes

A.14 Does the CIPP require risk mitigation relative to potential damage stemming from each vulnerability?
    Answer: Yes

A.15 Does the CIPP provide for periodic testing and reevaluation of risk mitigation steps (policies, procedures, and controls) by agency management?
    Answer: Yes

A.16 Does the CIPP provide a milestone for taking steps to mitigate risks?
    Answer: Yes

A.17 Does the CIPP require establishment of an emergency management program?
    Answer: Yes

A.18. If the answer to A.17 is yes, does the CIPP specify that the emergency management program includes:

    a) Incorporation of indications and warnings?
       Answer: Yes

    b) Incident collection, reporting, and analysis?
       Answer: Yes

    c) Response and continuity of operation plans?
       Answer: Yes

    d) A system for responding to significant infrastructure attacks while the attacks are under way, with the goal of isolating and minimizing damage?
       Answer: Yes

    e) Notification to OIG criminal investigators of infrastructure attacks?
       Answer: No
       Cause: Although the CIPP did not include a requirement to notify the OIG, the Departmental Manual (375 DM 19.9, B(2)) requires the notification.
       Effect: N/A
       Estimated Date of Resolution: N/A
       Estimated Cost of Resolution: N/A
       Estimate is in Agency CIP Budget: N/A
       Recommendation: N/A

A.19 Does the CIPP require establishment of a system for quickly reconstituting minimum required capabilities following a successful infrastructure attack?
    Answer: No
    Cause: Although the CIPP did not include a requirement to establish a system for quickly reconstituting minimum required capabilities following a successful infrastructure attack, it was required by the Departmental Manual (375 DM 19.4, H and K) to do so.
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.20 Does the CIPP identify a milestone for establishing the emergency management program?
    Answer: Yes

A.21 Does the CIPP require a review of existing policies and procedures to determine whether the agency should revise them to reflect PDD 63 requirements?
    Answer: No
    Cause: Departmental officials implemented a requirement for a review that ensures that PDD 63 requirements are followed. In addition, this review is required by the Departmental Manual (375 DM 19.4, C).
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.22 Does the CIPP identify a milestone for reviewing existing policies and procedures?
    Answer: No
    Cause: During our review, Department officials implemented a requirement for annual milestones.
    Effect: N/A
    Estimated Date of Resolution: Jul-00
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.23. Does the CIPP require the agency to ensure that security planning procedures are being incorporated into the basic design of new programs that include critical infrastructures, including provisions for:

    a) Risk management and assessments?
       Answer: No
       Cause: Although the CIPP did not include a requirement to ensure that security planning procedures were being incorporated into the basic design of new programs that include critical infrastructures, this is required by the Departmental Manual (375 DM 19.4, B).
       Effect: N/A
       Estimated Date of Resolution: N/A
       Estimated Cost of Resolution: N/A
       Estimate is in Agency CIP Budget: N/A
       Recommendation: N/A

    b) Security plans for IT systems?
       Answer: Yes

    c) Security for command, control, and communications?
       Answer: Yes

    d) Identification of classified or sensitive information?
       Answer: Yes

    e) Awareness and training measures to be taken for each program?
       Answer: Yes

A.24 Does the CIPP identify a milestone for establishing procedures to ensure that the agency incorporates security planning into the basic design of new programs?
    Answer: No
    Cause: Although the CIPP did not identify a milestone for establishing procedures to ensure that the agency incorporates security planning into the basic design of new programs, it is required by the Departmental Manual (375 DM 19.4, B).
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.25 Does the CIPP require the agency to incorporate its CIP functions into its strategic planning and performance measurement frameworks?
    Answer: No
    Cause: The Department's CIPP does not require the agency to include Critical Infrastructure Planning functions in its strategic plan. This is because only one (BOR) of the eight bureaus is directly involved with Critical Infrastructure and then only in a small part of its overall program. The strategic plan concentrates on the major Departmental goals for protecting the environment, preserving natural and cultural resources, providing recreation, conducting scientific studies, and meeting responsibilities to American Indians.
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.26 Does the CIPP identify a milestone for incorporating its critical infrastructure protection functions into its strategic planning and performance measurement frameworks?
    Answer: No
    Cause: See response to A.25.
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.27 Does the CIPP require agencies to identify resource and organizational requirements for implementing PDD 63?
    Answer: Yes

A.28 Does the CIPP identify a milestone for identifying resource and organizational requirements for implementing PDD 63?
    Answer: No
    Cause: The milestone will be established pending the completion of the vulnerability assessment work that is in progress.
    Effect: N/A
    Estimated Date of Resolution: Sep-00
    Estimated Cost of Resolution: $270,000
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

A.29 Does the CIPP require the agency to establish a program to ensure that it has the personnel and skills necessary to implement a sound infrastructure protection program?
    Answer: Yes

A.30 Does the CIPP identify a milestone for establishing a program that would ensure that the agency has the personnel and skills necessary to implement a sound infrastructure protection program?
    Answer: Yes

A.31 Does the CIPP require the agency to establish effective CIP coordination with other applicable entities (foreign, state, and local governments and industry)?
    Answer: Yes

A.32 Does the CIPP identify a milestone for establishing effective CIP coordination with other applicable entities (foreign, state, and local governments and industry)?
    Answer: Yes

A.33 Are the agency's plans for the continuous / periodic review of its threat environment:

    a) Adequate?
       Answer: Yes

    b) Being implemented by the agency?
       Answer: No
       Cause: The Departmental Manual (375 DM 19.8) requires the Office of Information Resources Management to conduct periodic reviews. Departmental IT officials told us that these reviews were performed for each bureau but were not documented. We believe that the review process should have included written notifications to bureaus concerning the review, analysis, assessments, and implementation of corrective actions and results of the review.
       Effect: We believe that without adequate documentation of the review process, there is a lack of accountability for the actions taken.
       Recommendation: Ensure that the Department establishes and implements a requirement to document the periodic threat review process that includes written notifications to bureaus concerning the review, analysis, assessments, and implementation of corrective actions.

B.1. Has the agency identified the following cyber-based MEI:

    a) People? (Staff, management, security, and executives necessary to plan, organize, acquire, deliver, support, and monitor mission-related services, information systems, and facilities, including the groups and individuals external to the organization involved in the fulfillment of the organization's mission.)
       Answer: Yes

    b) Technology? (All hardware and software, connectivity, countermeasures, and/or safeguards that are utilized in support of the core process.)
       Answer: Yes

    c) Applications? (All application systems, internal and external, utilized in support of the core process.)
       Answer: Yes

    d) Data? (All data, electronic / hard copy, and information required to support the core process. These data include numbers, characters, images, or other methods of recording in a form that can be assessed by a human or input into a computer, stored and processed there, or transmitted on some digital/communications channel.)
       Answer: Yes

    e) Facilities? (All facilities required to support the core processes, including the resources to house and support information technology resources, and the other resource elements defined above in question B.1.)
       Answer: Yes

B.2a Were the criteria used to identify DOI’s MEI consistent with the criteria used by the CIAO to identify agency MEI? (See page 1, footnote 1, for CIAO definition of agency MEI.)
    Answer: Yes

B.2b Did the agency use the CIAO infrastructure asset evaluation survey to identify its MEI assets?
    Answer: No
    Cause: The CIPP was prepared in June 1999, which was before the effective date of the criteria (January 2000).
    Effect: N/A
    Estimated Date of Resolution: N/A
    Estimated Cost of Resolution: N/A
    Estimate is in Agency CIP Budget: N/A
    Recommendation: N/A

B.3 Evaluate the adequacy of the agency's efforts to identify MEI and MEI interdependencies with applicable Federal agencies, state and local government activities, and industry:

    a) Has the agency identified assets consistent with the MEI as defined in question B.2?
       Answer: Yes

    b) Did the agency use the results of its Year 2000 (Y2K) work in identifying the MEI?
       Answer: Yes

    c) Did the asset identification process include a determination of its estimated replacement costs, planned life cycle, and potential impact to the agency if the
       Answer: Yes
asset is\nrendered unusable?\n\nd) Has the agency established\nmilestones for identifying and\n                                         X\nreviewing its MEI?\ne) Is the agency meeting its\nmilestones?\n                                         X\n C.1 Has the agency performed and\ndocumented an initial vulnerability\n                                               X         Pending the completion\n                                                         of the vulnerability\n                                                                                  N/A              Sep-00   See A. 28         N/A   N/A\n\nassessment and developed                                 assessment work that\nredemption plans for its MEI?                            is in progress.\n\n C.2 Did the vulnerability\nassessments address the threat\n                                                     X   Pending the completion\n                                                         of the vulnerability\n                                                                                  N/A               N/A     N/A               N/A   N/A\n\ntype and magnitude of the threat, the                    assessment work that\nsource of the threats, existing                          is in progress.\nprotection measures, the probability\nof occurrence, damage that could\nresult from a successful attack, and\nthe likelihood of success if such an\nattack occurred?\nC.3 Did the redemption plans\naddress the vulnerabilities found\n                                                     X   Pending the completion\n                                                         of the vulnerability\n                                                                                  N/A              Oct-00   N/A         N/A         N/A\n\nduring the assessment?                                   
assessment work that\n                                                         is in progress.\n\n C.4 Has the agency determined the\nlevel of protection currently in place\n                                                     X   Pending the completion\n                                                         of the vulnerability\n                                                                                  N/A              Aug-00   N/A         N/A         N/A\n\nfor its MEI?                                             assessment work that\n                                                         is in progress.\n C.5 Has the agency identified the\nactions that must be taken before it\n                                                     X   Pending the completion\n                                                         of the vulnerability\n                                                                                  N/A              Aug-00   N/A         N/A         N/A\n\ncan achieve a reasonable level of                        assessment work that\nprotection for its MEI?                                  is in progress.\n\n C.6 If the answer to C. 5 is yes,\nhas the agency developed a related\n                                                     X   Pending the completion\n                                                         of the vulnerability\n                                                                                  N/A              Oct-00   N/A         N/A         N/A\n\nimplementation plan and mechanism                        assessment work that\nto monitor such implementation?                          
is in progress.\n\n\n\n\n                                                                                        13\n\x0c                                                                Cause                             Estimated Estimated Estimate is\n                                                          If "No" Answer in                        Date of    Cost of   in Agency\n          Review Step                     Yes   No    N/A     Column (d)                 Effect   Resolution Resolution CIP Budget    Recommendation\n             (a)(b)                       (c)   (d)   (e)         (f)                      (g)        (h)       (i)         (j)            (k)\n\n C.7 Has the agency delegated\nresponsibility for vulnerability\n                                          X\nassessments to the agency CIO?\n\nC.8 Has the agency adopted a\nmulti-year funding plan that\n                                                X         BOR has identified\n                                                          estimated funding\n                                                                                  N/A               Oct-00   N/A       N/A           N/A\n\naddresses the identified threats?                         needs for Its security-\n                                                          related issues. 
These\n                                                          will need further\n                                                          refinement once results\n                                                          of Sandia National\n                                                          Laboratory (SNL)\n                                                          recommendations have\n                                                          been evaluated.\n C.9 Has the agency reflected the\ncost of implementing a multi-year\n                                                X         Estimated adjustments\n                                                          to the FY 2001 budget\n                                                                                   N/A              Sep-00   N/A       N/A           N/A\n\nvulnerability redemption plan in its FY                   have been made.\n2001 budget submission to the                             Determination of more\nOffice of Management and Budget?                          
precise requirements\n                                                          will result from the\n                                                          evaluation of the SNL\n                                                          recommendations.\n\n C.10 Did the vulnerability\nassessments query national threat\n                                                      X   Pending the completion\n                                                          of the vulnerability\n                                                                                   N/A              Sep-00   N/A       N/A           N/A\n\nguidance for international, domestic,                     assessment work that\nand state-sponsored                                       is in progress.\nterrorism/information warfare (e.g.,\nfrom the Department of Defense,\nFBI, NSA, and other Federal and\nstate agencies)?\n\n C.11 Has the agency prioritized the\nthreats according to their relative\n                                                      X   Pending the completion\n                                                          of the vulnerability\n                                                                                   N/A              Sep-00   N/A       N/A           N/A\n\nimportance?                                               
assessment work that\n                                                          is in progress.\n C.12 Has the agency assessed the\nvulnerability of its MEI to possible\n                                          X\nfailures that could result from\ninterdependencies with applicable\nFederal agencies, state and local\ngovernment activities, and private\nsector providers of\ntelecommunications, electrical\npower, and other infrastructure\nservices?\n\n\n\n                                                                                         14\n\x0c                                                            Cause                             Estimated Estimated Estimate is\n                                                      If "No" Answer in                        Date of    Cost of   in Agency\n         Review Step                  Yes   No    N/A     Column (d)                 Effect   Resolution Resolution CIP Budget    Recommendation\n            (a)(b)                    (c)   (d)   (e)         (f)                      (g)        (h)       (i)         (j)            (k)\n\n C.13 Do the processes used to\nidentify and reflect new threats to\n                                      X\nthe agency\'s MEI appear adequate?\n\n C.14 Do the results of the\nvulnerability assessments\n                                                  X   The preparation of\n                                                      security policies and\n                                                                               N/A              Sep-00   N/A       N/A           N/A\n\nnecessitate revisions to agency                       procedures are\npolicies that govern the management                   currently ongoing, along\nand protection of agency MEI?                         
with the vulnerability\n                                                      assessment.\n C.15 Did the results of the ERT\ncoincide with answers derived from\n                                      X\nquestions A.1 through C.14?\n\n\n\n\n                                                                                     15\n\x0c                                                                    APPENDIX 3\n\n    STATUS OF EVALUATION REPORT RECOMMENDATIONS\n\nRecommendation\n   Reference         Status                       Action Required\n\n   1 and 2       Resolved; not   No further response to response to the Office of\n                 implemented     Inspector General is required. The\n                                 recommendations will be referred to your Office\n                                 of Financial Management for tracking of\n                                 implementation.\n\n\n\n\n                                     16\n\x0c                  ILLEGAL OR WASTEFUL ACTIVITIES\n                      SHOULD BE REPORTED TO\n                 THE OFFICE OF INSPECTOR GENERAL\n\n\n\n                     Internet Complaint Form Address\n\n\n                   http://www.oig.doi.gov/hotline_form.html\n\n\n                  Within the Continental United States\nU.S. Department of the Interior                        Our 24-hour\nOffice of Inspector General                            Telephone HOTLINE\n1849 C Street, N.W.                                    1-800-424-5081 or\nMail Stop 5341 - MIB                                   (202) 208-5300\nWashington, D.C. 20240-0001\n                                                       TDD for hearing impaired\n                                                       (202) 208-2420\n\n                  Outside the Continental United States\n\n                                    Caribbean Region\n\nU.S. 
Department of the Interior                        (703) 235-9221\nOffice of Inspector General\nEastern Division - Investigations\n4040 Fairfax Drive\nSuite 303\nArlington, Virginia 22203\n\n                                     Pacific Region\n\nU.S. Department of the Interior                        (671) 647-6060\nOffice of Inspector General\nGuam Field Pacific Office\n415 Chalan San Antonio\nBaltej Pavilion, Suite 306\nAgana, Guam 96911\n\x0c           H OT LI N E\nU.S. Department of the Interior\nOffice of Inspector General\n1849 C Street, NW\nMail Stop 5341- MIB\nWashington, D.C. 20240-0001\n\nToll Free Number\n      1-800-424-5081\n\nCommercial Numbers\n   (202) 208-5300\n   TDD (202) 208-2420\n\x0c'